David Walser

**Name of the Vulnerable Software and Affected Versions** X.Org xdm versions 1.1.10 through 1.1.11 **Description** The issue allows remote attackers to cause a denial of service by attempting to log into an account with a password field containing invalid characters, resulting in a NULL pointer dereference and crash. This can be demonstrated using the crypt function from glibc 2.17 and later with specific characters in the salt portion of a password field or passwords encrypted using DES or MD5 in FIPS-140 mode. **Recommendations** For X.Org xdm versions 1.1.10 and 1.1.11, consider restricting access to accounts with potentially invalid password fields until a patch is available. As a temporary workaround, avoid using password fields with the "!" character in the salt portion or passwords encrypted using DES or MD5 in FIPS-140 mode to minimize the risk of exploitation.